CVE-2023-26343

5.5 MEDIUM

📋 TL;DR

CVE-2023-26343 is an out-of-bounds read vulnerability in Adobe Dimension that could allow an attacker to read sensitive memory information. This could potentially bypass security mitigations like ASLR, though exploitation requires user interaction through opening a malicious file. Users of Adobe Dimension versions 3.4.7 and earlier are affected.

💻 Affected Systems

Products:
  • Adobe Dimension
Versions: 3.4.7 and earlier
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could bypass ASLR protections and potentially chain this with other vulnerabilities to achieve arbitrary code execution or sensitive information disclosure.

🟠 Likely Case

Limited information disclosure about memory layout, potentially aiding in further exploitation attempts against the system.

🟢 If Mitigated

With proper controls, the impact is limited to potential memory layout information disclosure without direct code execution.

🌐 Internet-Facing: LOW - Exploitation requires user interaction and opening malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or malicious files, but still requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and knowledge of memory layout.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.8 or later

Vendor Advisory: https://helpx.adobe.com/security/products/dimension/apsb23-20.html

Restart Required: Yes

Instructions:

1. Open Adobe Dimension.
2. Go to Help > Check for Updates.
3. Follow the prompts to install version 3.4.8 or later.
4. Restart the application.

🔧 Temporary Workarounds

Restrict file opening (platforms: all)

Only open Dimension files from trusted sources and implement file type restrictions.

Application sandboxing (platforms: all)

Run Adobe Dimension in a sandboxed environment to limit potential impact.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized files
  • Deploy endpoint protection with file reputation services to detect malicious files

🔍 How to Verify

Check if Vulnerable:

Check Adobe Dimension version in Help > About Adobe Dimension. If version is 3.4.7 or earlier, you are vulnerable.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify version is 3.4.8 or later in Help > About Adobe Dimension.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected file opening events in Dimension

Network Indicators:

  • Downloads of suspicious .dim or other 3D file formats

SIEM Query:

source="*adobe*" AND (event="crash" OR event="file_open") AND process="Dimension.exe"
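The version check above is GUI-only, and the SIEM query is pseudo-syntax, so here is an added example (not from the advisory or from Adobe) that does both offline: a numeric version comparison against the 3.4.8 fix, and a filter over constructed crash-log lines modelled on Windows Application-log "Application Error" entries (Event ID 1000, exception 0xc0000005 = access violation). The key=value log format, field names and host names are assumptions; on macOS the process is not named Dimension.exe, so adjust the process filter there.

```python
"""Version triage and crash-log screening for CVE-2023-26343 (Adobe Dimension <= 3.4.7)."""
from __future__ import annotations
import re
from typing import Iterable

FIXED_VERSION = (3, 4, 8)  # first patched release named in the vendor advisory
ACCESS_VIOLATION = "0xc0000005"  # STATUS_ACCESS_VIOLATION: the signature of an out-of-bounds access

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.4.7' or '3.4.10' into a numeric tuple so that 3.4.10 sorts after 3.4.8."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(version: str) -> bool:
    """True when the installed Dimension build predates the 3.4.8 fix."""
    return parse_version(version) < FIXED_VERSION

# Constructed sample log lines (not real telemetry); field names are assumptions.
SAMPLE_LOGS = [
    "2023-03-14T10:02:11Z host=ws01 event_id=1000 app=Dimension.exe exception=0xc0000005",
    "2023-03-14T10:05:42Z host=ws01 event_id=1000 app=Photoshop.exe exception=0xc0000005",
    "2023-03-14T10:07:03Z host=ws02 event_id=1000 app=Dimension.exe exception=0xc000013a",
    "2023-03-14T10:09:55Z host=ws03 event_id=1000 app=Dimension.exe exception=0xc0000005",
]

def parse_kv(line: str) -> dict[str, str]:
    """Split a 'key=value key=value' log line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def dimension_access_violations(lines: Iterable[str]) -> list[dict[str, str]]:
    """Return Dimension.exe crash records whose exception code is an access violation."""
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if (rec.get("event_id") == "1000"
                and rec.get("app", "").lower() == "dimension.exe"
                and rec.get("exception", "").lower() == ACCESS_VIOLATION):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for v in ("3.4.7", "3.4.8", "3.4.10"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    for hit in dimension_access_violations(SAMPLE_LOGS):
        print("crash worth triage:", hit["host"], hit["exception"])
```

A crash hit is a triage signal, not proof of exploitation; correlate it with the file the user had open at the time.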
